A typical computer system is assigned a single internet protocol (IP) address. Every user session or program on the computer uses that address for communications on a TCP/IP network, so traffic to and from the computer, for example between a client and a server, carries the computer's IP address. In a virtual private network environment, a remote user may establish a virtual private network connection from a client to a second network, such as an SSL VPN connection from a client on a public network to a server on a private network. On the second network, a second IP address, distinct from the client's public address, is used for communications between the client and the server.
A user of the virtual private network may log in from the same computing device each time or roam between computing devices. A different second IP address may be assigned for each login session, and a different second IP address may be assigned for each computing device of the user. As a result, the user and/or the user's computing device may be associated with different IP addresses on the virtual private network at various times. In some cases, the user may have multiple virtual private network sessions concurrently, and thus multiple IP addresses on the private network at once. Identifying, tracking or managing the virtual private network addresses of remote users is therefore challenging, and the difficulty is compounded in an environment with a multitude of remote virtual private network users.
One challenge with assigning IP addresses to users of a virtual private network is handling failure of the device that assigned the address. A first device, such as a gateway, may assign the user a first IP address for use on the private network. If the first device fails, the user may need to regain access to the private network via a second device, such as a second gateway, and this second device may assign the user a different, second IP address for use on the private network. This may disrupt communications on the private network, because the client, applications and/or a server may still expect the user to be using the first IP address, for example in existing connections, access control rules or logs keyed to that address.
Another challenge with failover in a virtual private network environment is security. A gateway device providing VPN connectivity may authorize a client to access the network by checking whether the client device has attributes meeting one or more conditions for access; for example, the gateway may check whether the client has security software installed or a required operating system patch applied. Upon authorization, the user may access the private network via the gateway, such as over an SSL VPN session. At some point the gateway may fail or its operation may be interrupted, and the client may re-establish the SSL VPN session with the network. However, the attributes of the client on which the original authorization was based may have changed since the session was established; for example, security software or operating system patches may have been installed or removed in the meantime. If the re-established session is admitted on the strength of the earlier authorization rather than a fresh check, the network is left exposed to those changes when sessions are re-established with previously authorized clients.
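The two failover challenges above, as an added illustrative model that is not part of the original text: two gateways share a session table so that a client resuming through the second gateway keeps the private-network IP the first gateway assigned, and every re-establishment re-runs the endpoint posture check against the client's current attributes instead of trusting the authorization recorded when the session was first set up. The policy, address pool, user and device names, and posture attributes are all constructed for the example.

```python
"""Illustrative model of VPN gateway failover (example code, not from the
original text): a shared session store preserves the assigned private IP
across gateways, and resume attempts are re-authorized on current posture."""
from dataclasses import dataclass
import ipaddress

# Constructed sample policy: attributes a client must present to be admitted.
POLICY = {"av_installed": True, "min_patch_level": 5}


@dataclass
class Session:
    user: str
    device: str
    private_ip: str
    gateway: str
    posture: dict


class SessionStore:
    """Session table shared by all gateways (in a real deployment this would
    be replicated state; here it is an in-memory dict). Sessions are keyed by
    (user, device) so a roaming user gets one address per device."""

    def __init__(self, pool: str):
        self._free = list(ipaddress.ip_network(pool).hosts())
        self._sessions = {}

    def get(self, user, device):
        return self._sessions.get((user, device))

    def allocate(self, user, device, gateway, posture):
        ip = str(self._free.pop(0))
        session = Session(user, device, ip, gateway, posture)
        self._sessions[(user, device)] = session
        return session

    def release(self, user, device):
        session = self._sessions.pop((user, device), None)
        if session is not None:
            self._free.insert(0, ipaddress.ip_address(session.private_ip))


def posture_ok(posture: dict) -> bool:
    """Endpoint check: security software present and patch level sufficient."""
    return (posture.get("av_installed") is True
            and posture.get("patch_level", 0) >= POLICY["min_patch_level"])


class Gateway:
    def __init__(self, name: str, store: SessionStore):
        self.name, self.store, self.up = name, store, True

    def connect(self, user, device, posture):
        """Initial or re-established connection. Returns (private_ip, reason)."""
        if not self.up:
            raise ConnectionError(f"{self.name} is down")
        existing = self.store.get(user, device)
        # Posture is evaluated on every connect, including resumes, so a
        # client whose attributes drifted after the first authorization is
        # refused and its address is released rather than silently readmitted.
        if not posture_ok(posture):
            if existing is not None:
                self.store.release(user, device)
            return None, "posture check failed"
        if existing is not None:
            # Failover: reuse the IP the first gateway assigned so servers and
            # applications that expect that address keep working.
            existing.gateway = self.name
            existing.posture = posture
            return existing.private_ip, "resumed"
        session = self.store.allocate(user, device, self.name, posture)
        return session.private_ip, "new"


def failover_scenario():
    """gw1 assigns an address, fails; gw2 resumes the session with the same
    address; a later resume with drifted posture is refused."""
    store = SessionStore("10.8.0.0/29")          # constructed address pool
    gw1, gw2 = Gateway("gw1", store), Gateway("gw2", store)
    good = {"av_installed": True, "patch_level": 7}
    first = gw1.connect("alice", "laptop", good)
    gw1.up = False                               # gateway failure
    resumed = gw2.connect("alice", "laptop", good)
    drifted = {"av_installed": False, "patch_level": 7}   # AV removed meanwhile
    refused = gw2.connect("alice", "laptop", drifted)
    return first, resumed, refused


if __name__ == "__main__":
    for step in failover_scenario():
        print(step)
```

The design point is that the shared store answers the first challenge (address continuity across gateways) while the unconditional posture check in `connect` answers the second: the stored session records the address, not a standing grant of access, so the second gateway never admits a client on the basis of a check the first gateway performed at some earlier time.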